← Back to the Procurement Trust Center

AI Fact Sheet

AI Transparency Statement

Effective date: May 13, 2026 · Custodia, LLC

This fact sheet describes how the BidFedCMMC platform (the “Service”), operated by Custodia, LLC, uses artificial intelligence. We write it in plain language so that your IT, security, and leadership teams can evaluate the AI before you buy, and so your assessor can understand exactly what the AI touches. The framing follows the four functions of the NIST AI Risk Management Framework, GOVERN, MAP, MEASURE, and MANAGE, at a high level.

1. What the AI is, and what it is not

The BidFedCMMC platform is a CMMC compliance platform that uses AI as one governed feature. It is not an AI-first product. It is a CMMC firm's software with a governed AI assistant inside it. The AI is a drafting and review aid. It is not a decision-maker, not a system of record, and not a place your controlled data belongs.

2. Exactly what the AI does

The AI does two things, and only two things, with your content:

  • Drafts documents. It drafts your policies, procedures, and System Security Plan (SSP) narratives from the facts you provide. You review and edit everything before it counts.
  • Reviews evidence. It reviews each piece of evidence you upload to confirm the artifact supports the control you are working on, and to screen the artifact for anything resembling Controlled Unclassified Information (CUI) or export-control markings.

The AI never marks a control as met. Drafting and reviewing are the whole job. Every attestation is a human act performed by your people.

3. Your data and the AI

  • No CUI by design. Evidence on the Service shows configurations, settings, rosters, and logs, never controlled data. Uploads are screened for CUI and export-control markings and blocked when detected. No CUI is ever sent to the AI.
  • Segregated per client.Each organization's data is isolated, with a per-tenant encryption key.
  • Encrypted at rest. Evidence and sensitive fields are encrypted with AES-256-GCM using a per-tenant key, wrapped by a platform key backed by AWS Key Management Service (KMS). Destroying your key crypto-shreds your data.
  • Not used to train AI.Under the AI provider's commercial terms, your inputs and outputs are not used to train or improve AI models. API data is retained by the AI provider only for a limited period (30 days by default) for operational and safety purposes, then deleted. The BidFedCMMC platform sends no CUI to the AI.
  • Direct identifiers blocked in chat. Direct identifiers such as Social Security numbers, EINs, and card numbers typed into chat are blocked before they reach the AI.
  • Server to server, opaque identity. AI calls are made server to server; your browser never connects to the AI provider. Only an opaque, salted account hash is sent as an identifier, never your raw user or organization ID.
  • Tamper-evident logging. AI actions are logged for tamper-evidence using cryptographic hashes, not raw content.

4. Human oversight

A person on your team is always in the loop. The AI proposes drafts and flags evidence; your people confirm, edit, sign, and attest. There is no path by which the model completes an attestation or marks a control as met on its own. The actions that carry weight, editing a response, deleting evidence, and submitting an affirmation, are reserved for humans.

5. What we do not claim

Honesty is part of the control. So we are explicit about the claims we will not make:

  • We do not claim your evidence is never seen by AI. It is reviewed by AI when you upload it; that review is how the sufficiency and CUI screening works.
  • We do not claim zero data retention. That term is not contracted. The honest posture is limited retention by the AI provider, then deletion.
  • We do not claim that no personal data ever reaches the AI. Images and PDFs are not redacted by OCR before review, so our guidance is firm: upload configuration and settings, not documents containing personal or controlled data.

6. The AI provider and its attestations

The Service's primary AI provider is Anthropic, PBC, a U.S. company, used under its commercial terms. These are the provider's own third-party attestations, not Custodia's: Anthropic holds SOC 2 Type II, ISO 27001, and ISO/IEC 42001 (the AI management-system standard). Our other infrastructure sub-processors (AWS, Neon, Vercel, and Clerk) hold current third-party attestations as well. The full list is published at /subprocessors. Custodia, LLC has not completed a third-party audit of its own yet; see the certification note in our Procurement Trust Center.

7. Governance and roadmap

We operate baseline AI governance controls today: the no-CUI intake screen, per-tenant encryption, human-in-the-loop attestation, read-mostly AI tools, direct-identifier blocking, and tamper-evident logging described above. Mapped to the NIST AI Risk Management Framework at a high level:

  • GOVERN. AI is scoped as a governed feature with documented boundaries, human accountability for every attestation, and this public transparency statement.
  • MAP.The AI's two functions, drafting and evidence review, are defined narrowly, and the data classes it may touch exclude CUI by design.
  • MEASURE. Evidence review verdicts and AI actions are logged and hash-anchored so behavior can be inspected and reproduced.
  • MANAGE. Riskier actions stay human-only, direct identifiers are blocked at intake, and untrusted content is treated as data rather than instructions.

Formal, ISO/IEC 42001-aligned AI governance is on the roadmap. Details are available on request at security@bidfedcmmc.com.

8. Related documents

AI-generated content is software output, not legal or regulatory advice. You remain responsible for reviewing it before you act on it.